
In a statement on the Web site of Wikileaks, the organization published links to 167 email messages – a first installment of what it claims is a trove of 5 million Stratfor e-mails stolen in a hack in December 2011. The messages in question “reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal’s Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency,” the Wikileaks page states. Wikileaks coordinated its release with dozens of publications around the globe, including Rolling Stone Magazine, McClatchy News, The Hindu Times and La Republica.

In a statement released Monday, Stratfor called the publication by Wikileaks a “deplorable, unfortunate — and illegal — breach of privacy.” Echoing firms like HBGary Federal, an earlier Anonymous target, it also warned that some of the leaked e-mails may be forged, but said it would not make any effort to sort out legitimate from illegitimate communications.

“Having had our property stolen, we will not be victimized twice by submitting to questioning about them,” the company said.

Though Wikileaks promotes itself as a whistleblower Web site, the e-mail messages from Stratfor were taken in an illegal hack by members of the anarchic hacking collective Anonymous. Anonymous has accused the company of spying on behalf of, and in cahoots with, the U.S. government, defense contractors and the media – charges that Friedman has strenuously denied. In an e-mail to customers, Friedman claimed the attack was an attempt by Anonymous and its followers to silence his firm.

Anonymous used a Twitter account affiliated with the group to take credit for passing the e-mails to Wikileaks on December 29, shortly after the Christmas Eve hack. Wikileaks .

Data stolen by the group has been dribbling out in the weeks since the compromise. On December 31, Anonymous released 75,000 names, addresses, credit card numbers and MD5-hashed passwords for Stratfor’s customers, as well as more than 800,000 usernames, email addresses, and MD5-hashed passwords for individuals who registered on Stratfor’s Web site.

Following the hack, a number of security problems were identified on Stratfor’s network. Among other things, account information and passwords were stored in clear text on Stratfor’s servers, or weakly protected with encryption.

With the e-mails released, focus now shifts to the information contained in them. That could prove to be embarrassing both for Stratfor employees and their many private- and public-sector correspondents, just as leaked e-mail from the D.C. firm HBGary Federal did a year ago.

Among the e-mail exchanges released is one between Friedman and former senior Bush Administration tactician Karl Rove concerning an effort to arrange a meeting between the Indonesian Ambassador to the United States, Dino Djalal, and the former President. Other e-mail messages include sensitive information on Stratfor customers paying the firm for “Protective Intelligence” services, and capture open-source intelligence sharing between Stratfor’s various regional operatives and headquarters.

In its statement, Stratfor said that the disclosure of the emails “does not mean that there has been another hack of Stratfor’s computer and data systems,” and that its data systems “remain secure and protected.”

Discussion

In order to "remain secure and protected" the web sites must first BE "secure and protected", which was apparently not the case, Mr. Friedman.

How convenient to say "we won't answer any questions" while first raising doubts about the authenticity of the emails with "some may be forged". If I had to guess, it will not be necessary to commit forgery to produce some email content that will be embarrassing to Stratfor: hell, if they were willing to falsify stuff, why take on the risk of stealing it in the first place?

Answering questions, clarifying intent and identifying what's real and what's false is a mature and responsible action, Stratfor. Refusing to face the heat when put on the spot for your actions because it 'makes you a victim twice' is the response one might expect of a petulant teenager, or an addict who is in denial of his problem.

In contrast, other than their illicit hacking Anonymous has generally shown themselves to adhere to a higher standard of veracity than most of their 'victims'.

Mr. Friedman's claims of security of the Stratfor web site are laughably silly now that it's come to light that the password policy in effect on its site allowed single-character passwords. Maybe the strategic intel they disseminate is good, but no one can take seriously any claims of great security expertise when their protections were so laughably weak in the first place.

This continuing spin just ensures that Stratfor will remain an object of ridicule until they "man up" and admit that they fell down on the job of securing this information. Their implicit pre-emptive denials of "they might be forged" will hold little water if any "troubling collaborations" are found in the email contents.

Is it noble to remain above the controversy? Apparently Mr Friedman thinks it will be perceived that way. I think it will be perceived as haughty and self-serving evasion, but ultimately it's Stratfor's customers who will determine whether they remain a viable player on the info-sec scene.

So sad, but not shocking. The financial companies I have worked with also have very laughable security in place. When you point it out to them they act like what you are saying is not true and they know what they are doing. Once they get owned I will gladly point fingers and supply emails for their negligence.

Authors

Threatpost
